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Abstract. Writing formal specifications for distributed systems is difficult. Even simple 
consistency requirements often turn out to be unrealizable because of the complicated 
information flow in the distributed system: not all information is available in every com¬ 
ponent, and information transmitted from other components may arrive with a delay or 
not at all, especially in the presence of faults. The problem of checking the distributed 
realizability of a temporal specification is, in general, undecidable. Semi-algorithms for 
synthesis, such as bounded synthesis, are only useful in the positive case, where they con¬ 
struct an implementation for a realizable specification, but not in the negative case: if 
the specification is unrealizable, the search for the implementation never terminates. In 
this paper, we introduce counterexamples to distributed realizability and present a method 
for the detection of such counterexamples for specifications given in linear-time temporal 
logic (LTL). A counterexample consists of a set of paths, each representing a different 
sequence of inputs from the environment, such that, no matter how the components are 
implemented, the specihcation is violated on at least one of these paths. We present a 
method for finding such counterexamples both for the classic distributed realizability prob¬ 
lem and for the fault-tolerant realizability problem. Our method considers, incrementally, 
larger and larger sets of paths until a counterexample is found. For safety specihcations 
in weakly ordered architectures we obtain a decision procedure, while counterexamples 
for full LTL and arbitrary architectures may consist of inhnitely many paths. Experimen¬ 
tal results, obtained with a QBE-based prototype implementation, show that our method 
finds simple errors very quickly, and even problems with high combinatorial complexity, 
like the Byzantine Generals’ Problem, are tractable. 


1. Introduction 

The goal of program synthesis, and systems engineering in general, is to build systems that 
satisfy a given specification. Sometimes, however, this goal is unattainable, because the 
conditions of the specification are impossible to satisfy in an implementation. A textbook 
example for such a case is the Byzantine Generals’ Problem, introduced in the early 1980s by 
Lamport et ah [LSP82]. Three generals of the Byzantine army, consisting of one commander 
and two lieutenants, need to agree on whether they should “attack” or “retreat.” For this 
purpose, the commander sends an order to the lieutenants, and all generals then exchange 
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messages with each other, reporting, for example, to one general which messages they have 
received from the other general. The problem is that one of the generals is a traitor and 
can therefore not be assumed to tell the truth; the tale of the Byzantine generals is, after 
all, just an illustration for the problem of achieving fault tolerance in distributed operating 
systems, where we would like to achieve consensus even if a certain subset of the nodes fail. 
Of course, we cannot expect the traitor to agree with the loyal generals, but we might still 
expect a loyal lieutenant to agree with the order issued by a loyal commander, and two loyal 
lieutenants to reach a consensus in case the commander is the traitor. This specification 
is, however, unrealizable in the setting of the three generals (and, more generally, in all 
settings where at least a third of the nodes are faulty). 

Detecting unrealizable specifications is of great value because it avoids spending imple¬ 
mentation effort on specifications that are impossible to satisfy. If the system consists of a 
single process, then unrealizable specifications can be detected with synthesis algorithms, 
which detect unrealizability as a byproduct of attempting to construct an implementation. 
For distributed systems, the problem is more complicated: in order to show that there is no 
way for the three generals to achieve consensus, we need to argue about the knowledge of 
each general. The key observation in the Byzantine Generals’ Problem is that the loyal gen¬ 
erals have no way of knowing who, among the other two generals, is the traitor and who is 
the second loyal general. For example, the situation where the commander is the traitor and 
orders one lieutenant to “attack” and the other to “retreat” is indistinguishable, from the 
point of view of the loyal lieutenant who is ordered to attack, from the situation where the 
commander is loyal and orders both lieutenants to attack, while the traitor claims to have 
received a “retreat” order. Since the specification requires the lieutenant to act differently 
(agree with the other lieutenant vs. agree with the commander) in the two indistinguishable 
situations, we reach a contradiction. 

Since realizability for distributed systems is in general an undecidable problem [PR90], 
the only available decision procedures are limited to special cases, such as pipeline and ring 
architectures [KVOlb, FS05]. There are semi-algorithms for distributed synthesis, such as 
bounded synthesis [FS13], but the focus is on the search for implementations rather than on 
the search for inconsistencies: if an implementation exists, the semi-algorithm terminates 
with such an implementation, otherwise it runs forever. In this paper, we take the opposite 
approach and study counterexamples to realizability. Intuitively, a counterexample collects 
a sufficient number of scenarios such that, no matter what the implementation does, an 
error will occur in at least one of the chosen scenarios. As specifications, we consider 
formulas of linear-time temporal logic (LTL). It is straightforward to encode the Byzantine 
Generals’ Problem in LTL. Another interesting example is the famous CAP Theorem, a 
fundamental result in the theory of distributed computation conjectured by Brewer [BreOO]. 
The CAP Theorem states that it is impossible to design a distributed system that provides 
Consistency, Availability, and Partition tolerance (CAP) simultaneously. We assume there 
is a fixed number n of nodes, that every node implements the same service, and that there are 
direct communication links between all nodes. We use the variables req^ and out* to denote 
input and output of node i, respectively. The consistency and availability requirements 
can then be encoded as the LTL formulas ^ outj+i) and (Vi<i<n^®9j) ^ 

(O partition tolerance is modeled in a way that there is always at most 

one node partitioned from the rest of the system, i.e., we have n different fault-tolerance 
scenarios where in every scenario all communication links to one node are faulty. 
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In both examples, a finite set of input sequences suffices to force the system into violating 
the specification on at least one of the input sequences. In this paper, we present an efficient 
method for finding such counterexamples. It turns out that searching for counterexamples 
is much easier than the classic synthesis approach of establishing unrealizability by the non¬ 
existence of strategy trees [PR90,KV01b,FS05]. The difficulty in synthesis is to enforce the 
consistency condition that the strategy of a process must act the same way in all situations 
the process cannot distinguish. On the strategy trees, this consistency condition is not an uj- 
regular (or even decidable) property. When analyzing a counterexample, on the other hand, 
we only check consistency on a specific set of sequences, not on a full tree. This restricted 
consistency condition is an cu-regular property and can, in fact, simply be expressed in 
LTL as part of the temporal specification. Our QBF-based prototype implementation finds 
counterexamples for the Byzantine Generals’ Problem and the CAP Theorem within just a 
few seconds. 

Related Work. To the best of the authors’ knowledge, there has been no attempt in 
the literature to characterize unrealizable specifications for distributed systems beyond 
the restricted class of architectures with decidable synthesis problems, such as pipelines 
and rings [KVOlb, FS05]. By contrast, there is a rich literature concerning unrealizability 
for open systems, that is, single-process systems interacting with the environment [Chu63, 
ALW89,KV97]. Schuppan [Schl2] introduced the notion of unrealizable cores to identify a 
minimal subformula that contains the reason for unrealizability. In robotics, there have been 
recent attempts to analyze unrealizable specifications [RKGll]. The results are also focused 
on the reason for unrealizability, while our approach tries to determine if a specification is 
unrealizable. Moreover, they only consider the simpler non-distributed synthesis of GR(I) 
specifications, which is a subset of LTL. There are other approaches concerning unrealizable 
specifications in the non-distributed setting that also use counterexamples [CHJ08,LDS1I]. 
There, the system specifications are assumed to be correct and the information from the 
counterexamples are used to modify environment assumptions in order to make the spec¬ 
ifications realizable. The Byzantine Generals’ Problem is often used as an illustration for 
knowledge-based reasoning in epistemic logics, see [HM84] for an early formalization. Con¬ 
cerning the synthesis of fault-tolerant distributed systems, there is an approach to synthesize 
fault-tolerant systems in the special case of strongly connected architectures [DF09]. A pre¬ 
liminary version of this paper appeared as [FT14]. The present paper extends our earlier 
work by removing restrictions to acyclic architectures and providing a completeness result 
for safety specifications and weakly ordered architectures, as well as a general encoding of 
fault-tolerant synthesis. 


2. Distributed Realizability 

A specification is realizable if there exists an implementation that satisfies the specification. 
For distributed systems, the realizability problem is typically stated with respect to a specific 
system architecture. Figure 1 shows some typical example architectures: an architecture 
consisting of independent processes, a pipeline architecture, and a join architecture. The 
architecture describes the communication topology of the distributed system. For example, 
an edge from pi to p 2 labeled with (x, b) indicates that x and b are shared variables between 
processes pi and p 2 , where pi writes to x and p 2 reads from b. The classic distributed 
realizability problem is to decide whether there exists an implementation (or strategy) for 
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each process in the architecture, such that the joint behavior satisfies the specification. In 
this case, the distinction between the shared variables is unnecessary as the valuation of the 
variable that is read from is always equal to the valuation of the variable that is written to. 
In this paper, we are furthermore interested in the synthesis of fault-tolerant distributed 
systems, where the processes and the communication between processes may become faulty. 
Here, the distinction of the shared variables is used to model the different types of faults. 

LTL. We use linear-time temporal logic (LTL) [Pnu77] to express linear-time properties, 
that are properties P C (2^)“^ for a finite alphabet S, also called atomic propositions. LTL 
consists of the temporal operators Next O and Until U. The syntax is given by the grammar 

If X \ \ ip\/ip\Oip\pUip , 

where x € S. We define ip f\ il) as V -■V’), the Weak Until operator p W 'll) as 

^ p y [p U 'll)), and the Release operator p TZ ip as -^{^p U -''ip). We use the standard 
abbreviations true = x V -ix and false = x A -ix, for some x € S, as well as p ^ 'ip = ^p V f), 
p Ip = [p ^ Ip) A ('ll) ^ p), \Z1 p ^ false TZ p, and p = true U p. 

For f > 0, the satisfaction of a path a G (2^)^^ on position i with respect to formula (^, 

denoted by a, i I=ltl P^ is inductively defined as 

• cj, i I=ltl a: X ^ (T(f), 

• <7, i Nltl -'P -yy O', i Rltl P, 

• cr, i Lltl py Ip a,i I=ltl p ot a,i I=ltl V’, 

• cr, i Lltl Op a,i + l I=ltl P, and 

• a,i I=ltl pU'ip 3n > i.a,n I=ltl 'f’ and Vm G {i,... ,n — 1}. a,m I=ltl P , 

where x G S and p,'ip are LTL formulas. We say a path a G (2^)^^ is satisfied by p, if 

O', 0 I=ltl P- The language of an LTL formula [[(/j]] C (2^)^^ is defined as the set of paths 
that satisfy p. In Section 6, we use the syntactically restricted fragments safety LTL and 
co-safety LTL [KVOla]. These fragments are given by the grammars 

p y.= X \ ^x \ p y p \ p A p \ O P \ 0 P \ P TZ p, and (safety LTL) 

p X \ ^x \ py p \ p A p \ 0 P \ O P \ pl^ P ) (co-safety LTL) 

respectively, where x G S. Safety and co-safety formulas are dual with respect to negation. 

Coordination Logic. We use Coordination logic (CL) [FSIO] to give uniform and precise 
definitions of the various realizability problems of interest. CL is a game-based extension 
of LTL that makes strategies—and their observations—to first class citizens of the logic. 
CL divides the set of atomic propositions into strategic and coordination variables, where 
the latter represent observations for the strategies represented by strategic variables. The 
strategy quantifier 3(7 > s introduces a strategy for s that bases its decisions only on the 
history of valuations of the variables in (7. This allows us to pose queries on the existence of 
strategies, with specific observations, within the logic. In order to specify the realizability 
of distributed systems, we use the strategy quantifier 3(7 > s to express the existence of an 
implementation for a process output s based on input variables (7. 
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(a) 


(b) 


(c) 


Figure 1: Example architectures 


CL Syntax. CL formulas contain two types of variables: the set C of input (or coordina¬ 
tion) variables, and the set S of output (or strategy) variables. In addition to the usual 
LTL operators Next O, Until U, and Release TZ, CL has the strategy quantifier 3(7 i> s, 
which introduces an output variable s whose values must be chosen based on the history of 
valuations of the inputs (7. The syntax^ is given by the grammar 

ip ::= X \ -'X \ ip y (p \ ip /\ (p \ O ip \ ip U ip \ ip TZ ip \ 3(7 1> s. (/? | V(7 1> s. , 

where x G COS, C C C, and s G S. Beside the standard abbreviations true = x V -^x, 
false = X A -'X, p = true U p, and □ (/? = false IZ p, we use On P as an abbreviation of n 
consecutive Next operators. 

We denote by Q the (possibly empty) quantification prefix of a formula and call the 
remainder the body. For Q G {3,V}, we use Qq if the prefix contains only (^-quantifiers. 
For the purposes of this paper, it suffices to consider the fragment CL 3 that contains only 
existential quantifiers. We furthermore assume that the body is quantifier-free, i.e., that 
the formulas are in prenex normal form (PNF). 

Examples. We demonstrate how to express distributed realizability problems in CL3 with 
the example architectures from Fig. 1. The realizability of an LTL formula V’l in the 
architecture from Fig. 1(a) is expressed by the CL 3 formula 

3{a} > x.3{b} > y.f^i . ( 2 . 1 ) 

Interprocess communication via a shared variable b, as in the pipeline architecture from 
Fig. 1(b), is expressed by separating the information read from b from the output written 
to b. In the following CL 3 formula we use output variable x to denote the output written 
to b: 

3{a} > x.3{b} > y.nib = x) ^'il >2 ( 2 . 2 ) 

The LTL specification ip 2 is qualified by the input-output specification 0(6 = x), which 
expresses that ■02 is required to hold under the assumption that the information written to 
b by process x is also the information read from b by process y. This separation between sent 
and received information is useful to model faults that disturb the transmission. Failing 
processes are specified by omitting the input-output specifications that refer to the failing 
processes. As an example, consider the architecture in Fig. 1(c). The CL 3 formula 

3{a} i> X, y. 3{b, c} > z. {n{c = y) ^ ips) F {o{b = x) ^ ips) (2.3) 

specifies that there exists an implementation such that 03 is guaranteed to hold even if 
process x or y (but not both) fails. 

^This logic is called Extended Coordination Logic in [FSIO]. 
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Figure 2: In (a) and (b) we sketch example strategies for y and x satisfying the CL 3 formula 
30 0 y. 3{a} > x. □ (O ic 0 a) A □ (y ■<->■ O “■?/)• In (c) we visualize the resulting 
computation tree on which the body (LTL) formula is evaluated. 


For a formula <I>, we differentiate two types of coordination variables, external and 
internal. A coordination variable c € C is internal iff the value of c is uniquely defined by 
the input-output specifications. In contrast, external coordination variables provide input 
from the environment. For example, the input a in (2.2) is external while b is internal. 

CL 3 Semantics. We give a quick definition of the CL 3 semantics for formulas in PNF and 
refer the reader to [FSIO] for details and for the semantics of full CL. The semantics is 
based on trees as a representation for strategies and computations. Given a finite set of 
directions T and a finite set of labels S, a (full) Ti-labeled T-tree T is a pair (T*,/), where 
/ : T* ^ S assigns each node u G T* a label l{v). For two trees T and T^ we define the joint 
valuation T © T' to be the widened tree with the union of both labels. We refer to [FSIO] 
for a formal definition. A path u in a S-labeled T-tree T is an w-word ctoiTiiT 2 ... G and 
the corresponding labeled path a'^ is {l{e),ao){l{ao),ai){l{aQai),a2){l{o'oaia2),(73) ■ ■ ■ G 
(S X T)"^. 

For a strategy variable s that is bound by some quantifier QC > s. ip, we refer to C as 
the scope of s, denoted by Scope{s). The meaning of a strategy variable s is a strategy or 
implementation fg : ^ 2 ’^^^, i.e., a function that maps a history of valuations 

of input variables to a valuation of the output variable s. We represent the computa¬ 
tion of a strategy fg as the tree /s) where fg serves as the labeling function 

(cf. Fig. 2(a)-(b)). CL 3 formulas are interpreted over computation trees, that are the joint 
valuations of the computations for strategies belonging to the strategy variables in <S, i.e., 
/s) (cf. Fig. 2(c)). Given a CL 3 formula Qb-^p in prenex normal form 
over strategy variables S and coordination variables C, the formula is satisfiable if there 
exists a computation tree T (over S), such that all paths in T satisfy the LTL formula p, 
i.e., V(T G (2^)‘^.o-'^,0 I=ltl P- 

Prom Distributed Realizability to CL3. We formally introduce the distributed realiz¬ 
ability problem and show reductions from the distributed realizability problem to CL 3 . Let 
F be a finite set of variables. An architecture A is a tuple {P,Penv, {Ip}peP, {Op}p£p), where 
P is the set of processes and penv ^ P is the distinct environment process. Ip denotes 
the set of input variables for process p and Op C F denotes the set of output variables for 
process p. We denote by I = (JpeP input variables and by O = (JpeP Op 

the set of all output variables. The input given by the environment is lenx •= I \ 0, the 
communication variables are / DO. While some input may be shared across processes in 
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the case of broadcasting, the output variables of every pair of processes are assumed to 
be disjoint, i.e.. Op fl Op/ = 0 for all p ^ p' G P. We represent the architecture ^ by a 
directed graph = {N, E), where N = PU Pgnv is the set of vertices and E = N x N the 
set of edges. There is an edge between two vertices {p,p') G E Op H Ip/, i.e., there is a 
communication over shared variables between p and p'. 

An implementation of a process p is a function fp : ( 2 ^p)* —>• 2^p which maps the history 
of valuation of the input variables to a subset of output variables. We say an implementation 
is finite state, if it can be represented by a finite transducer. An implementation for ^ is a set 
of implementations for each process. The distributed realizability problem for architecture 
A and LTL formula ip is to decide whether there is a finite state implementation for every 
process in A such that the system satisfies (p against the environment, i.e., the joint behavior 
of the implementations satisfies p against all input sequences given by the environment; 
Vcr € ( 2 -^)^^. cr'^, 0 I=ltl P where T = 0pgp((2^p)*, fp). 

The distributed realizability problem is decidable for the class of weakly ordered archi¬ 
tectures [FS05], which includes pipelines and rings. Weakly ordered architectures are char¬ 
acterized by the absence of pairs of processes, called information forks, that each have access 
to some information that is hidden from the other process. Consider a tuple {P', V,p,p'), 
where P' is a subset of the processes Pl^{pe,nv}, V' is a subset of the variables disjoint from 
Ip U Ipi, and p,p' G P \ [P' U {penv}) are two different system processes. Such a tuple is 
an information fork if P' together with the edges that are labeled with at least one variable 
from V' forms a subgraph rooted in the environment and there exist two nodes q, q' G P' 
that have edges to p,p', respectively, but are labeled with incomparable sets of variables 
(i.e., neither set is a subset of the other). For example, the architecture in Fig. 1(a) contains 
the information fork {{penv},^.,Pi,V 2 ). A weakly ordered architecture is an architecture that 
does not contain an information fork. 

Definition 2.1. Given a CL 3 formula <1> = Q 3 . Ppath P, where Ppath = □ A(s c)€Ri^ ~ '®) 
for some R C C x S, the induced architecture A^ = {P,penv, {Ip}peP, {Op]p^p) is dehned 
as follows. By abuse of notation, we use V = 5UC as the set of variables in the architecture 
and dehne a process p G P as a set of strategy variables p E S. 

Let P be the quotient of <S according to the equivalence relation = C (5 x <S) with 
s = s' if Scope{s) = Scope{s'), i.e., we group the strategy variables with the same inputs 
together as a single process. For all p G P, we define Ip as Scope{s) for some s G p and Op 
as the union over the dehned communication variables {c | (s,c) G R for some s G p} and 
the strategy variables that are not used for communication {s | (s, c) ^ R for all c G C}. 

Theorem 2.1. The distributed realizability problem over architecture A and LTL formula p 
can he encoded as CL^ formula <^ = 23 . Ppath P with only prenex existential quantifica¬ 
tion. 

Proof. Consider an arbitrary architecture A = {P,Penv, {Ip}p£P, {Op}pep) and an LTL for¬ 
mula p. We give a CL 3 formula that is satishable if, and only if, p is realizable in A. 
For variable v G V, we denote the coordination variable and strategy variable used in the 
encoding by c„ and s„, respectively. Analogously we use C := {c„ | u G /} as the set of 
coordination variables and S := | v G 0} as the set of strategy variables. 

For each process p G P we introduce a set of strategy variables 5^ := {st, | u G Op} with 
the scope Cp := {c„ | v G Ip}. We take care of the input-output specihcations by restricting 
the paths such that Ppath •= Ai;e/no ~ holds, i.e., we only consider paths where 
the valuation of the strategy variables S representing the output variables is equal to the 
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valuation of the coordination variables / H O representing the input variables. The resulting 
formula for processes pi,... ,pn is 

> Sp-^ . . . 3Cp„ > ‘Ppath ^ ^ • 

The correctness of the encoding follows from the semantics of CL 3 and A = A^. D 

Realizability under Byzantine faults. We model the occurrence of a Byzantine fault 
as a modification of the architecture, where a process reading from some shared variable 
no longer reads the output written by the other process, but instead some arbitrary input. 
An implementation is fault-tolerant if it works both in the original architecture and in the 
modified architecture. We encode fault-tolerant realizability as CL 3 formulas of the general 
form 

^ = Qa- f\ (^pathi ^i) ) (2.4) 

l<i<n 

where the formulas are obtained from v^path by omitting constraints 0(0 = s), which 

indicates that there is a Byzantine fault on the shared variable s: the coordination variable 
c can deviate arbitrarily from s. 

A disadvantage of this encoding is that we can no longer partition the coordination vari¬ 
ables into internal and external variables, because the coordination variable c is external in 
the architecture where the shared variable is faulty and internal in the other architectures. In 
order to retain the partitioning, we use the following satisfiability preserving transformation 
partition{^): For each coordination variable c that is neither internal nor external, we intro¬ 
duce a fresh coordination variable c* that represents the external information given in the 
fault architectures. Consequently, we add the condition 0(0 = c*) to all path specifications 
V^path where c is not contained, thus, making the value c deterministic in all architectures. 
In the transformed formula partition{^), c is an internal coordination variable as its value 
is in every architecture uniquely determined and c* is an external coordination variable as 
it provides environmental input to the system. 

3. Counterexamples to Distributed Realizability 

We now introduce counterexamples to realizability, which are actually counterexamples to 
satisfiability for the CL 3 formula encoding the realizability problem. The satisfiability 
problem for a CL 3 formula in prenex form asks for an implementation for all strategy 
variables in the quantification prefix of the formula such that the temporal specification in 
the body is satisfied. 

Let 4* = Q 3 . be a CL 3 formula in prenex form over coordination variables C and 
strategy variables S, where the body of the formula is the LTL formula ip. A counterexample 
to satisfiability for <h is a (possibly infinite) set of paths V C (2^)^^, such that, no matter 
what strategies are chosen for the strategy variables in S, there exists a path a £ V that 
violates the body (p. Formally, V C (2^)'^ is a counterexample to satisfiability iff, for each 
s G S and every strategy fs ; (2'5“p®(^))* —)■ it holds that there exists a path a £ V 

such that a'^ I=ltl where T = 05g5((2'^“^''(^))*, fs). 

Proposition 3.1. A CL^ formula <I> over coordination variables C and strategy variables S 
is unsatisfiable if, and only if, there exists a counterexample to satisfiability V C . 

Proof. By the semantics of CL 3 and V = {2^)^. □ 
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The distributed realizability problem without faults corresponds to CL 3 formulas of the form 
where the (/7path defines the architecture A^: there is an edge from 
one strategy variable to another if the input-output specification occurs in A finite 

counterexample to satisfiability of ^ is a finite set of paths V C corresponding 

to external coordination variables Cext = {c | c is an external coordination variable in $}, 
such that for every implementation T there exists a path a ^ V such that an extension 
a ' G (2^)^^ of a violates ( p . We say that a ' G (2^)‘^ is an extension of a G if for 

all i > 0, it holds that cTj = a' n Cext- Note that the extension of a by the valuation of 
the internal coordination variables is uniquely specified by the input path a and the system 
implementation T. 

Proposition 3.2. A CL^ formula <1> = Q 3 . Ppath P over coordination variables C and 
strategy variables S is unsatisfiable if there exists a finite counterexample to satisfiability 
V C (2^“*)^^ of □ 

As an example consider again the CL 3 formula ( 2 . 1 ) 3{a} i>a;.3{6} >y.fii, corresponding 
to the architecture from Fig. 1(a) in the previous section. Let := 0(0 y ^ a), i-e., y 
must output the input a with an one-step delay. A simple counterexample for this formula 
consists of two paths Vi := { 0 *^, {a}‘^} that differ in the values of a, but not in the values 
of b. Since process y cannot distinguish the two paths, but must produce different outputs, 
this leads to contradiction. Consider the same formula for the pipeline architecture 
specified by (2.2) 3{a}>x. 3{6}>y.n(6 = x) fii- The formula is unsatishable due to the 
delay when forwarding the input a over shared variable b (cf. CL 3 semantics in Section 2, 
the current output of x is only visible to y in the next step). Vi is a finite counterexample 
in this case, too: Given an implementation of x and y, we extend both paths such that the 
input-output specification □ (6 = x) is satisfied. 

The fault-tolerant distributed realizability problem corresponds to CL 3 formulas of the 
form = Q 3 . Ai<i<n (v^pathi —>■ Pi)- Pi = P for all i, the formula states that there exists 
an implementation such that the specification p should hold in all architectures induced 
by the path specifications Ppat\- Omitted specifications □(& = x) in one of these formulas 
V^path represent an arbitrary communication error at input b in architecture i. In this case, 
a counterexample identifies for each implementation one of these architectures where a 
contradiction occurs. A finite counterexample to satisfiability of <h are n finite sets of paths 
T^i C ( 2 ^™*)"^ each corresponding to external coordination variables in the respective 
architecture i, such that for any implementation T there exists an architecture j and a path 
a G Vj such that an extension a ' G (2*^)'^ of a violates pj . 

Proposition 3.3. A CL^ formula <I> = Q 3 . Ai<i<n {Ppathi Pi) over coordination vari¬ 
ables C and strategy variables S is unsatisfiable if there exists a finite counterexample to 
satisfiability of ^. □ 

A counterexample for the CL 3 specification (2.3) 

3{a} > x, y. 3{b, c} > z. (□ (c = y) V’a) A (□ (6 = x) fis) 

introduces paths for inputs as well as for every faulty node such that some paths model the 
exact input-output specification and other paths model the arbitrary node failures. The 
node that reads from a shared variable can, in contrast to incomplete information, react 
differently on the given paths, but the reaction must be consistent regarding its observations 
on all paths. Consider for example the specification ■03 := (O 2 z ^ a) for the CL formula 
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(a) 


(b) 


Figure 3: 


Visual interpretation of the fault-tolerance specification (2.3): There exists a 
strategy for x, y, and z such that the specification is satisfied in both architectures. 


in (2.3), that is, process z should output the input a of nodes x and y. In both architectures, 
depicted in Fig. 3, we introduce additional paths for the coordination variable that is omitted 
in the input-output specification, i.e., b and c for the first and second conjunct, respectively. 
Process z cannot tell which of its inputs come from a faulty node. Since z must produce 
the same output on two paths it cannot distinguish, the implementation of z contradicts 
the specification in either architecture. 

4. Computing Finite Counterexamples 

We encode the existence of finite counterexamples to realizability as a formula of quantified 
propositional temporal logic (QPTL) [KP95]. QPTL extends LTL with a path quantifier 3p, 
where a path a € 2^ satisfies 3p. (p at position i > 0, denoted by a, i Pqptl (/?, if there 
exists a path a' € 2 ^^^^^^ which coincides with a except for the newly introduced atomic 
proposition p, such that a', i Pqptl P- We dehne the universal path quantiher Vp. (p as 
—'3p. -ip. In the following encoding, we use the path quantifier to explicitly name the paths 
in the counterexample. 

Distributed Realizability. We consider first the distributed realizability problem, repre¬ 
sented by CL 3 formula <I> = Qa.ppath —^ P- Before proceeding with the general encoding, 
we show an example query that encodes the existence of a counterexample to satishability 
of CL3 formula (2.2) 3{a} > x. 3{b} > y. □ (6 = x) —□ (O y ■<->■ o) by using two external 
paths, represented by the path variables ai and 02 . The QPTL query is 

3ai, 02 . Vxi, X 2 . Vyi, y 2 . , 62 • 

(xi = X2 7 ^ oi / 02) A (yi = y2 7 ^ 61 7^ 62) ( 4 . 1 ) 

/\ a{bi = Xi)A \/ OiOyi^ai) . (4.2) 

*€{ 1 , 2 } *€{ 1 , 2 } 

This query is satisfiable, one satisfying assignment for oi and 02 is {ai}0‘^ and 0'^, respec¬ 
tively. The assignments for bi is a (alpha renamed) copy of the assignment for Xi , satisfying 
the condition □( 6 * = xfi for i G { 1 , 2 }. As already mentioned in the previous section, the 
value of bi is uniquely determined by the strategies. Thus, we could optimize the query 
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by removing bi altogether. However, we need the distinction between reading and writing 
variables later in this section. 

The valuations of oi and 02 represent two paths in the computation tree of the original 
CL 3 formula. In the query above, the strategies for x and y are also evaluated on these 
two paths. To make the connection between the path variables xi and X 2 and the strategy 
variable x, we introduce consistency conditions between all paths considered in the query. 
These consistency conditions (4.1) state that valuations of universal path variables are only 
valid if they can be generated by the corresponding strategy. For example, the consistency 
condition for x, (xi = X 2 TZ ai ^ 02 ), states that ai and 02 must be different in some 
step i > 0 before xi and X 2 can be different in some step j > i. Hence, according to (4.1), 
xi = X 2 and yi = 1/2 hold in the first step. As hi = 62 holds in the first step as well, the 
consistency condition for yi = 1/2 extends to the second step as well. Hence, we have two 
paths, given by the assignments for ai and 02 , where ai and 02 differ in the first position, 
but yi = y 2 in the second position. Consequently, either (O yi ai) or (O 2/2 02 ) holds 

and we have obtained a counterexample to satisfiability of the CL 3 formula. 

In the following, we introduce the general encoding for computing finite counterexam¬ 
ples of CL 3 formulas = Q 3 . (/9path ^ by bounding the number of paths regarding the 
external coordination variables Cext- The bound on the number of paths is given as a func¬ 
tion AT : C —)■ N that maps each coordination variable to the number of branchings that 
should be considered for this variable. W.l.o.g. we can assume that K{c) = 0 for every 
internal coordination variable c € Cjnt- For example, for coordination variables a and b, and 
K{a) = K{b) = 1, we encode 4 different paths, one per possible combination for the two 
paths for each variable. We fix an arbitrary strict order ^ C C x C between the coordination 
variables. For a set C C C, we identify K{C) by the vector in where the position of 
the value K{c) for a coordination variable c € C is determined by For our encoding in 
QPTL, we use the following helper functions: 

• deps{v) returns the set of external coordination variables that influence variable v. An 
external coordination variable c € Cext influences variable v if there is a directed path 
from c to n in A^. For example in the architecture of Fig. 1(c), x, y, and z are influenced 
by a. A coordination variable is influenced by itself. 

• branches{C, K) returns the set of branches belonging to coordination variables C. A 

branch vr is referenced by a vector in and the set of branches is 

|(nci,... ,ncfl) I {ci A • • • A Cfc} = C and 1 < Uc < for all c G cj 

• paths {C, K) and strategies {S, K) represent the set of (path) variables in the QPTL for¬ 
mula that belong to the variables of the CL 3 formula. For a variable n G C U S it intro¬ 
duces for each branch tt G branches{deps( v), K) a separate variable p'^ that represents 
the variable v belonging to this branch tt. Formally, we define the sets 

paths{C,K) := {p(j. | c G C A vr G branches {deps (c), K)} and 

strategies{S, K) := | s G 5 A vr G branches {deps (s), K)} . 

• header{S,K) creates the alternating introductions of strategies and paths according to 
the (partial) order given the subset relation of the strategy variables on deps. For every 
strategy variable s G S we introduce all paths belonging to external coordination variables 
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c G deps{s) prior to s and avoid duplicate path introductions: 
header{S, K) := 3 paths{deps{si), K) y strategies{{si}, K) 

3 paths{deps{s 2 ) \ deps{si), K) y strategies{{ 32 }, K) 

3 paths{deps{sn) \ (^ deps{si)^, K) y strategies{{sn}, K) 

3paths{Cint) , 

where are ordered such that for all i, j with i < j < n, either deps{si) C 

deps{sj) or deps{sj) ^ deps{si), i.e., either deps{si) is a subset of deps{sj) or both are 
incomparable. 

• consistent{S, K) specifies the consistency condition for the variables belonging to the 
strategy variables on the different branches. The variables p%^,... ,p%^ belonging to a 
strategy variable s € S must be equal as long as the coordination variables in the scope 
of s on the branches tti, ..., tt^ are equal. This is expressible in LTL as we only consider 
a finite number of branches. In detail, the formula 

consistent{S, K) := /\ /\ {pi = pi, TZ { \/ pi ^ pl,)^ (4.3) 

sGS (tT, TT^) G c^Scope{s) 

branches{deps{s), K)^ 

states that for every strategy variable s G S' and every pair of branches (tt, tt') that belongs 
to s, we ensure that the valuation of s on these two branches differ only if one of the 
variables in the scope of s was different in a prior step. 

Finally, we define the QPTL encoding for CL 3 formula and function it' : C —)■ N as 

unsatdistK) := header{S, K). consistent{S, K) —)■ 

( A <i’path(vr)) A y , (4.4) 

7r£branches{C,K) 7rGbranches{C^K) 

where is the initialization of LTL formula ip on branch tt, that is we exchange v by 
pI, for V £ C L) S where tt' is the subvector of tt that contains the values for coordination 
variables in deps{v). 

Fault-tolerant Realizability. In the case of possible failures, the CL 3 formulas 4* have 
the more general form Qb- Ai<i<n (i^path^ ^i)- this setting, the set of coordination 
variables C is in general not partitioned into external and internal coordination variables. 
In the first step, we apply the transformation partition{^) given in Section 2 in order to get 
a partitioning into external and internal coordination variables. Furthermore, we generalize 
deps{v) to multiple architecture; An external coordination variable c G Cext influences 
variable v if there is a directed path from c to u in one of the architectures. The QPTL 
query for counterexamples to CL 3 formula <h and a bound on the number of paths, given 
by the functions Ki... Kn : C ^ N, is 

unsatfauiti^, Ki,... ,Kn) ■= header{S, K). consistent{S, K) -£■ 

V ( A <^pathi(vr)) A y -</Ji(7r)) , (4.5) 

l< 2 <n 7rGbranches{C,Ki) tt ^branches (C^Ki) 

where iL : C —)■ N is defined as K{c) := maxi<i<„ Ki{c) for every c £ C. 
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.r 

b 


(a) (b) 

Figure 4: Visualization of the two architectures given by the fault-tolerance specification 
3{a, c} > X. 3{6} 0 z, y. (□ ((c = y) A {b = x)) -A ip) A (o(c = y) ^ p'). In 
architecture (b), the link between shared variables b and x is faulty, hence, b is 
an external input. 


Consider the example formula 

3{a, c} > X. 3{6} 0 z, y. (□ ((c = y) A {b = x)) -A p) A {n {c = y) -i- p) 

that models the two-way pipeline architecture, depicted in Fig. 3, where the connection 
between shared variables b and x may fail. We apply the transformation partition{^) and 
get the formula 

3{a,c}>x.3{b}> z,y. {{c = y) A (b = x)) -A A [{c = y) A {b = b*)) -A , 

where b* is a free coordination variable. The QPTL encoding unsatf„yif(^*, Kt , Ko) with 
A-.(a) = A-,W = /f.(6-)=0aidK.((,-) = lis 

3a,bl,b2.yxi,X2,yi,y2,zi,Z2. 36i, 62 ,ci, C 2 . 

(xi = X 2 7e Cl / C 2 ) A (yi =y2TZbi^ 62 ) A {zi = z2Tlbi^ 62 ) 

^ □((£!= yi) A (61 = xi)) A-.(/?(!) (4.6) 


V 


A □((ci 
* 6 ( 1 , 2 } 


Vi) A {bi 



A 


V 

,* 6 ( 1 , 2 } 


(4.7) 


In difference to distributed realizability, the encoding states that there must be a violation 
of the specification in some architecture. Also, not every architecture is challenged with 
all paths, e.g., in the query (4.6) for the first architecture, we use only one path as the 
path specification states that the connection between b and x is correct, while in the second 
architecture (4.7) we use two paths that are generated by the external inputs 6 | and b^- 


Theorem 4.1 (Correctness unsatjauit)- Given a CLj formula $ = Q 3 . Ai<j<n {Vpathi -A pj) 
over coordination variables C and strategy variables S. ^ is unsatisfiable if there exist 
functions Ki ... : C —>■ N such that the QPTL formula unsat fault Ki, ■■■, Kn) is 

satisfiable. 


Proof. Let 4*^ be an arbitrary CL 3 formula after applying the transformation pariition{^) 
given in Section 2 in order to recover the partitioning into external and internal coordination 
variables. Assume there exists functions Ki... : C ^ N such that the QPTL formula 

unsatfauiti^'^ dLi,..., Kn) is satisfiable. From the satisfiability of this QPTL formula we 
construct the proof that the CL 3 formula 4>' is unsatisfiable (Proposition 3.3), i.e., that for 
all strategies there exists a path a that satisfies Vi<i<n (v^pathj A 

We introduce the following auxiliary notation for this proof. We define Prev{v) to be 
the set of variables that are quantified prior to v. PrevQ{v) denotes the set Prev{v) when 
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only considering the existential variables (<5 = 3), respectively universal variables {Q = V). 
For a variable v £ CUS and a branch vr, we dehne the branching operator v[ti] := ,, where 

tt' is the subvector of vr that contains only values for variables in deps{v). i;[ 7 r] is used to 
relate CL variables to QPTL variables, i.e., it selects the variable in QPTL formula that 
belongs to the branch vr. Note that one QPTL variable can belong to more than one branch, 
for example, n[ 7 r] = n[ 7 r'] if the branches vr and n' differ only in the values for variables not 
contained in deps{v). For V C C U 5, we write V[k] ;= {n[ 7 r] | n € C} for the set of QPTL 
variables belonging to the CL variables V on branch vr. 

Let be the strategy variables S ordered according to the subset relation 

on deps{s). Let a(s) : 2 '^®^ be an arbitrary strategy for strategy variable 

s G S and fix a set of strategies A = {a(s) | s G 5}. By the semantics of CL 3 we need 
to show that in the composition of these strategies 0 Q,eA ® there exists a path such that 
the LTL formula Vi<i<n (v^path^ A -'Pi) is satisfied. We build the paths that satisfy the 
LTL formula from the branches IT = branches{C, K) encoded in the QPTL formula. Let 
/?(c, tt) ; (^ 2 ^'i'ev^{c[-K])'juj be the valuation of the existential path variable in the 

QPTL formula belonging to coordination variable c on branch vr G If. Note that /3(c, vr) 
depends on all prior universal quantified variables, especially also on universal quantified 
variables (representing strategy variables) on different branches. The strategies /3(c, vr) for 
c G Cext correspond to the external coordination variables, while strategies /?(c, vr) for c G 
Pint correspond to the extensions defined in the finite counterexamples (Section 3). We 
view the existential quantified variables in the formula that correspond to the external 
coordination variables as inputs to our system strategies A and get the canonical tuple of 
paths V = {u-Ki, ■ ■ ■, o'TTfc)) one path C branch vr G If. 

In the construction of the paths V, we restrict a strategy as £ A io & single branch, 
that is the function : [2^cope{s)Y (2L1)‘^ where a^(cr) = as(€) •Q!s(cro) •Q!s(croCTi).... 
Let 7(5, vr) : ( 2 ^^s»' 3 (®W))‘^ —^ (2f®f)‘^ be the strategy corresponding to the strategy variable 
s G 5 in the QPTL formula for branch vr. We have to make sure that 7(5, vr) is not more con¬ 
strained than as, i.e., the QPTL path-strategies 7(5, vr) must be able to handle all behaviors 
of as- As deps{s)[ 7 r] C Prev3{s\'K\) the strategy 7(5,vr) subsumes the strategy a^, i.e., for 
every branch vr,..., vr^ we can embed every strategy as in strategies 7(5, vri),..., 7(5, vr„) 
when only considering these branches instead of the whole computation tree. We build the 
paths V according to the inductive definition for every vr G LI and i > 1 

7 = U <9(c,7(0"). 

c£deps{si) 

0 -^* = U a‘^.{al^-^\scope{s)), and 
= U /3(c,vr)(fj2Q , 

c€ deps{si) 

where a\v denotes the projection of path a to the variables V. 

Since the a^ are derived from the system strategies, it holds that they satisfy the 
consistency condition consistent {{s}, K) (4.3) in the QPTL encoding. From the satisfaction 
of the QPTL formula, we conclude that 

V ( A V^path. ('^) /\ \l 

l<i<n 7 rGbranches{C,Ki) 7 r£branches{C,Ki) 
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is satisfied, i.e., there exists an index i and branches = branches{C, Ki) such that 
yTz&Tii ^olds. From the first conjunct it follows that each path 

from V corresponding to a branch tt G Ilj satisfies the path specification (/7path- We 
conclude with the second conjunct that one of the branches from II violates the specifica¬ 
tion ipi. □ 

Corollary 4.2 (Correctness unsatdist)- Given a CL^ formula = QB-^Ppath P over 
coordination variables C and strategy variables S. < 1 > is unsatisfiable if there exists a function 
K : C ^ N such that the QPTL formula unsatdist K) is satisfiable. 

Remark 4.3 (Monotonicity of K). For the distributed synthesis encoding it holds that K is 
monotone with respect to the satisfiability of unsatdisti^, K), however, for the fault-tolerant 
synthesis this is not necessarily true because of the complex information dependencies be¬ 
tween different architectures. By increasing the number of paths for a coordination variable 
c in an architecture i where c is not involved in a fault, i.e., 0(0 = s) is contained in Ppath-j 
we restrict the choice of the environment in another architecture (where c could be involved 
in a fault). Hence, we have the following monotonicity condition: Ki... is monotone 
with respect to the satisfiability of unsatfauiti^, Ki, ..., Kn) if Ki{c) is only increased if c 
is not contained in the input-output specification Ppathi ■ 

Example. We consider again the Byzantine Generals’ Problem with three nodes gi, g2, 
and gs- The first general is the commander who forwards the input v that states whether 
to attack the enemy or not. The encoding as CL 3 formula is 

^bgp := 3{u} > 512,513• 3 {ci2} > 523- 3{ci3} > 532• 3{ci2, C32} > 52- 3{ci3, C23} > 53- 

{operational2^3 ^ consensus2p) A {operationali i ^ correctvali) , ( 4 . 8 ) 

ie{ 2 , 3 } 

where we use the following definitions 

operational2^3 ■= n{c23 = 923 A C32 = 532), 
operational I 3 := □ (ci2 = 512 A C13 = 513 A C32 = 532), 

operational I 2 ■= □ (ci2 = 5i2 A C13 = 513 A C23 = 523), 

consensusij := O3 (gi = 9j)-, and 
correctvali := u -f-)- O3 5i • 

The quantification prefix introduces the strategies for the generals 52 and 53, as well as 
the communication between the three generals as depicted in the architecture in Fig. 5(a). 
Note that we omit the vote of the commander 51 as it is not used in the specification. In 
the temporal part, we specify which failures can occur. The first conjunct, corresponding 
to Fig. 5(b), states that the commander is a traitor {operational2 3) which implies that 
the other two generals have to reach a consensus whether to attack or not {consensus2,3)■ 

The other two cases, depicted in Fig. 5(c)-(d), are symmetric and state that whenever one 

general is traitor the other one should agree on the decision made by the commander. The 
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C23 C23 C23 C 23 


(a) (b) (c) (d) 

Figure 5: The Byzantine Generals’ architecture. Figure (a) shows the architecture in cases 
all generals are loyal. Figures (b)-(d) show the possible failures, indicated by the 
dashed communication links. 


QPTL encoding unsatfauiti^hgp, Ki, K 2 , K^) is given as 

3paths{{v},K). \/strategies{{gi2,913}, K). 3paths{{ci2,ci3},K). 

V strategies{{923,932}, K ). 3 pat/is({c 23 , C32}, K ). V strategies{{92,9^}, K). 

eonsistent{{912,9i3,923,932,92,93}, K) ^ 

yy operational2^3 {t^) A \J ^consensus2^3{Tr)^ V 

nGbranches {C,Ki ) nGbranches (C,Ki) 

yy operational I A \J ^correetval 3 {TT)^ V 

TT ^branches (C ,i(’2) tt ^branches (C , K2 ) 

yy operational I 2{'^) A \/ -<correetval 2 {tt)^ 

TT ^branches {C,Ks ) tt ^branches (C, Kz ) 

By using the functions Ki for 1 < i < 3 which are defined as 
Ki{v) = K2{v) = K3{v) = l, 

Ki { ci 2 ) = Ki { ci 3 ) = K2 {c 23) = K3 {c 32) = 1 , 


and 0 otherwise, we get a satisfying QPTL instance and, hence, proved the unsatisfiability 
of $bgp- This resembles the manual proof for the Byzantine Generals’ Problem. In every 
situation where one of the generals is a traitor, one has to consider the possible deviations 
from the loyal behavior. 


5. Completeness 

In practice, finite external counterexamples are often sufficient to detect unrealizable speci¬ 
fications. In this section, we show that our method is in fact complete for the case of safety 
specifications and weakly ordered architectures. It turns out that if one of these restrictions 
is dropped, i.e., if one is interested in general LTL specifications, or in architectures that 
are not weakly ordered, then finite counterexamples may no longer exist, and the method, 
therefore, becomes incomplete. 

A universal safety (tree) automaton is a tuple U = {'E,T,Q,qQ,6) where S denotes a 
finite set of labels, T denotes a finite set of directions, Q is a finite set of states, qo £ Q 
the designated initial state, and 5 denotes the transition function. The transition function 
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5 : Q X S —)■ B^((5 X T) maps a state and a input letter to a positive and conjunctive 
Boolean formula over Q xT. We allow the abbreviations 5{q,a) = true and 6{q,a) = false. 

A S-labeled T-transition system is a tuple T = {T,to,T,o) where T is a finite set of 
states, to (z T is the designated initial state, r : T x T —T is the transition function, and 
o : T —S is the state labeling function. A universal safety automaton accepts a S-labeled 
T-transition system T if T has a run graph. A run graph is a directed graph Q = (G, E) 
that satisfies the following constraints: 

• The vertices G C Q x T are a subset of the product of Q and T. 

• The pair of initial states (goTo) G G is a vertex of Q. 

• For each vertex {q,t) G G, the set {(g',u) G Q x T | {{q,t), {q',T{t,v))) G E} satisfies 
a{q,o{t)). 

Since U is universal, the run graph on a transition system is unique. 

If we start with a temporal specification instead of a universal safety automaton, we 
first need the following transformations. As we only consider safety languages, we restrict 
the temporal specifications to syntactically safe [Sis94] formulas, i.e., LTL formulas where 
the only temporal operator is the weak until if W 'ip. (The weak until subsumes the globally 
operator □ ip, which is equivalent to fW false.) 

Proposition 5.1 ([KVOla]). Given a syntactically safe LTL formula ip, we can construct a 
non-deterministic automaton on finite words that accepts the (not necessarily minimal) 
good prefixes of the co-safety formula -^p. The size of is on 

Using this result, we build the universal safety automaton Up by simulating the automaton 
Af^p along each path: if each path is not a good prefix for the negation of p, then p holds 
on every path. 

Proposition 5.2. Given a syntactically safe LTL formula p, we can construct a universal 
safety automaton Up with states that accepts a transition system T if, and only if, 

T satisfies p. □ 

We use the bound on the size of a transition system that is accepted by a universal safety 
automaton U in order to derive a upper bound on the number of counterexample paths 
needed to refute the existence of an implementation. 

Proposition 5.3 ([FS13]). If a universal safety automaton U with n states accepts a tran¬ 
sition system, then U accepts a finite transition system T with (n!)^ states. 

Theorem 5.4. Given a syntactically safe LTL formula p over inputs I and outputs O, p 
is unrealizable if, and only if, there exists a finite counterexample. 

Proof. Let U be the universal safety automaton for p according to Proposition 5.2. By 
the contraposition of Lemma 5.3 it holds that U rejects all transition systems if U rejects 
all finite transition systems with (n!)^ states. Hence, all finite transition systems with size 
(n!)^ have a finite counterexample path in the run of U. We show that every minimal 
counterexample path is bounded hy d = (n!)^ • p, where p is the longest loop-free path in 
the safety automaton U. 

Assume by contradiction that there exists a transition system T of size (n!)^, where 
the length of the minimal counterexample path a & {Q x T)* exceeds d. As d is the size of 
the product of U and T, there must be a repetition on a, i.e., there exists i < j < |(t| such 
that a[i] = a\j]. Thus, we can shorten the counterexample to (To..i-i • violating our 

minimality assumption. 
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As the length of the minimal counterexample is bounded by d, all minimal counterex¬ 
amples are contained in the full tree of depth d that has ( 21 ^ 1 )'^ paths. D 

This argumentation can be generalized to weakly ordered architectures since we have an 
upper bound on the size of implementations, too. Given an architecture A and an imple¬ 
mentation for each process, we call the resulting system the distributed product according 
to architecture A as the system state consist of the product of the states of the process 
implementations. The meaning of the distributed product is a strategy ( 2 ^'=”*’) —)• 2^ that 
maps finite input sequences from the environment to the valuations of the process outputs. 

Proposition 5.5 ([FS05]). For a weakly ordered architeeture and a realizable specifieation (p, 
the size of the smallest implementation of every process is n-exponential, where n is the 
number of processes. 

Theorem 5.6. Given a syntactically safe LTL formula ip and a weakly ordered architecture 
A, p is unrealizable in A if, and only if, there exists a finite counterexample. 

Proof. Let U be the universal safety automaton for p. By Proposition 5.5 and the unrealiz¬ 
ability oi pin A it holds that there does not exist n-exponential strategies for the processes. 
Let ti,... ,tn be arbitrary n-exponential strategies for the n processes and T : ( 2 ^®™)* —> 2^ 
be the (n-exponential) distributed product according to architecture A. 

We choose a bound d that is greater than the size of the product of U and T. By the 
same argument as in the proof of Theorem 5.4, it follows that the length of the minimal 
counterexample for every such T is bounded by d, hence the number of paths is bounded 
by □ 

Proposition 3.1 states that the characterization of unsatisfiable formulas with counterex¬ 
amples is complete. Our method, however, searches for counterexamples involving only a 
bounded number of external paths. In general, this is not enough, as the following proposi¬ 
tions show. 

Proposition 5.7. For full LTL, the unrealizability of a specification does not imply the 
existence of a finite eounterexample. 

Proof. Consider the CL^ formula <I>inf := 3{x} > y. p\a{ with temporal specification (/ 9 inf := 
C>{y = x). is unsatisfiable because for every strategy fy : ( 2 'f*^)* ^ 2^^^ it holds that 
fy cannot correctly guess the future value of x on every path, as the formula is evaluated 
over the full binary tree that branches by the valuation of x (cf. CL 3 semantics in Section 2). 
Assume for contradiction that a finite set of paths P C suffices to satisfy -^pini = 

□ (y 7 ^ x) against every strategy fy. As there are only a finite set of paths P, there exists a 
level in the full binary tree such that every node in this level has at exactly one successor 
path in P. Choose the strategy fy that assigns the nodes in this level with one successor 
the labeling of the next input. Such a finite state strategy exists because the nodes in each 
level are distinguishable by the strategy. Hence, for all paths in P it holds that <0>iy = x) 
and thus no path satisfies -'Pini- D 

Proposition 5.8. For the architecture in Fig. 1(a), the unrealizability of a safety specifica¬ 
tion does not imply the existence of a finite eounterexample. 

Proof. Let D be a deterministic Turing machine that implements a unary counter. We 
use the encoding of D into the realizability problem of a safety LTL formula pd the 
architecture of Fig. 1(a) [Schl4]. There does not exist a finite state implementation that 
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satisfies ifo, but for every finite set of environment input paths, only a finite number of 
correct configurations of D can be asserted. Hence, for every such finite set of paths, there 
exists an implementation that fulfills these assertions. D 

6. Approximations 

Presently available QPTL solvers were unable to handle even small instances of our problem. 
In this section, we present two simplifications of the finite counterexample problem and their 
corresponding encodings. We consider the problem where we restrict the counterexample 
paths to a finite length by using a weak monadic second order logic of one successor (WSIS) 
encoding. Afterwards, we show a practical encoding in quantified Boolean formulas (QBF) 
that bounds the length of a counterexample path. We only consider the more general form 
of CL 3 formulas modeling the fault-tolerance case, i.e., = Q 3 . Ai<i<n (v^path^ —>■ Fi)- 

Prom QPTL to SIS. We give a short introduction to the monadic second-order theory 
of one successor (SIS) and show the equisatisfiable reduction from QPTL to SIS. Let Vi = 
{x, 2 /,... } and V 2 = {X, T,... } be finite sets of first-order and second-order variables, 
respectively. A term t is given by the grammar 

t ::= 0 I X I S{t) , 

where x is a first-order variable and S denotes the successor function of the natural numbers. 
We build formulas ip over terms by using the grammar 

p ::= t € X \ t = t \ \ p\/ p\ 3x. p \ 3X. p , 

where t is a term, x is a first-order variable, and A is a second-order variable. We define 
yx.p as -i3A.X ^ A as -■(x G A), and x y as -■(x = y). Furthermore, we use the 
abbreviations X CY = Vz. (z G A —z G A) and X = Y = X CY AY CA. 

The semantics of SIS is defined over first-order and second-order valuations fii : Hi —>■ cj 
and (T 2 : V 2 ^ 2“^, respectively. The semantics of terms is defined as 

• [0]ai = 0, 

• Mo-i = and 

• [5'(t)]ai =[t]ai+l, 

where t is a term and x G Pi. The semantics of formulas is defined as 

• cri,o -2 NsiS t G A e a 2 {X), 

• <Tl,Cr2 I=S1S h = t2 = [t2]cri, 

• (Ti,iT 2 bsis (Ti,iT 2 Psis P, 

• cri,cr2 Psis F'^'4’ (^l,cr 2 I=S1S F or ^^ 1 , 0-2 l=siS V’, 

-1 -1 / / \ Iif ?/A 2 ; / 1 

• fTi,o -2 I=sis 3 x.(/9 3a ^ oj. a\(y) = < . A fj^, 0-2 l=sis and 

I a otherwise 

• cri,f72 bsis dA.v? :4P3ACuj.a2{Y) = ^ ^ A ui, NsiS , 

I A otherwise 

where t,ti,t 2 are terms, p,fi are formulas, x,y G Pi, and A,P G P 2 . A formula p is 
satisfiable, if the exists first-order and second-order valuations iTi and 1 T 2 for the free variables 
such that iTi,(T 2 I=sis F- 
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It is well known that QPTL and SIS are equally expressive [SVW85]. We use the 
following transformation from QPTL to SIS. 

Lemma 6.1. For every QPTL formula (p there exists an equisatisfiable SIS formula f). 

Proof. We encode the (infinite) sequences in the QPTL formula as second-order valuations 
in the SIS formula. For a path variable p, we denote by the corresponding second- 
order variable. For a sequence p G (2'tP^)‘^ and the corresponding second-order valuation 
<T 2 (P^) C cj we impose the invariant that p G p* if and only if i G iT 2 (P^) for every i > 0. 
Given a QPTL formula (p over a finite set of atomic propositions S and an arbitrary SIS 
term t over Vi = 0. We dehne a SIS formula sls{p,t) over V 2 = {V^ | p G S} such that 
for all p G (2^)^^ it holds that p, Pqptl P if and only if ai,a 2 l=sis sls{p,t), where 
cr2{VP) = {f G CJ I p G Pi}: 

• sls{p, t) := t G VP, for p G S, 

• sls{-'p,t) := -^sls{p,t), 

• sls{pP il>,t) := sls{p,t) V sls{'4!,t), 

• sls{0 p,t) := sls{p, S{t)), 

• sls{p U tf, t) := 3y. {y >1 A sls{ip, y) A Mz. {t < z < y ^ sls{p, z))), and 

• sls{3p.p,t) := 3VP. sls{p,t) , 

where y and 2 : are fresh first order variables. Q 


Finite-length Connterexamples. When we restrict the counterexamples to finite length, 
we lose the ability to detect violations of liveness properties. Thus, we restrict the LTL spec¬ 
ifications Pi in to syntactic safety properties [KVOla]. As these specifications are negated 
in the encoding, the resulting LTL specifications describe co-safety properties [KVOla]. A 
property P C (2^)“^ is co-safety if every p ^ P has a good prefix, that is a prehx w G (2^)* 
of p such that for all p' G (2^)“^ it holds that w ■ p' ^ P. 

In the weak version of SIS, the second-order quantification is restricted to finite sets. 
While syntactically equivalent to SIS, we change the semantics l=sis by replacing the second- 
order quantification rule by 


O'!,<72 bwsis 3X.p 3finite set A C uj.a 2 {Y) 



if y ^ A . 

. A (Ti,(T2 Fwsis P ■ 
otherwise 


We dehne a SIS formula Fin{X) that asserts that the valuation of the second-order variable 
A is a hnite set: 

Fin(A) := dV. (ACTA {3y. y ^Y) A (Vz. {z ^Y ^ 5(2) ^ A))) . 

We dehne wsls{p, i) as sls{p, i) with the difference that we interpret the result of wsls{p, i) 
as a WSIS formula and we only apply it to co-safety LTL formulas. 

Lemma 6.2. Given a QPTL formula ^ = Q.p where p is a co-safety LTL formula. If 
wsls{^,0) is satisfiable then <I> is satisfiable. 

Proof. Let wsls{^, 0) be satishable. By Lemma 6.1, it suffices to argue that sls(<h, 0) is sat- 
ishable. First, we can extend any existential quantihcation 3A. p to inhnite quantihcation 
as the WSIS restriction to quantihcation over hnite sets are special cases of the SIS seman¬ 
tics (these where 3A. Fin{X) Ap holds). Next, we show that hnite universal quantihcation 
is as powerful as inhnite universal quantihcation. Consider the co-safety LTL formula p. It 
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holds that every satisfying assignment has a good prefix [KVOla]. Hence, the satisfaction 
of an infinite word p G (2^)‘^ depends only on a finite prefix. Thus, a satisfying assignment 
against universal quantified finite sequences implies the satisfaction against universal quan¬ 
tified infinite sequences. □ 

The WSIS encoding of CL 3 formula and functions Ki... Kn : C ^ N is 

unsat, Ki,... ,Kn) ■= header {S, K). eonsistent^^^^ {S, K) 

V ( A W) ( V wsis(-(/3i(7r),0)) , ( 6 . 1 ) 

l< 2 <n 7 T£branches{C^Ki) 7 T£branches{C,Ki) 

where K : C ^ N is defined as K{c) := maxi<i<„ifj(c) for every c € C. header'^^^^ 
introduces the second-order variables that correspond to the path variables x, but is 
otherwise identical to the QPTL version. Furthermore, uses second-order equivalence 

= pc consistency condition eonsistent^^^^ {S, K) in WSIS is defined 

as the conjunction of 

/\ {v: = v:,y3i>t).{\l v:,) a Vj <i.je ^ j g 

{ 7 r, 7 T')Gbranches(deps{s),K)‘^ c£Scope{s) 

for every s € S. This formula ensures different reactions of a universal variable on two 
branches is based on different prior valuations of the dependencies (cf. QPTL consistency 
condition (4.3)). 

We give an example query based on CL 3 formula (2.2) 3{a} > x. 3{6} > y. □ (6 = x) —>■ 
n (0 y a). The WSIS query is 

3Ai,A2.VXi,X2.VYuY2. 3Bi,B2. 

= X 2 V (3i ^ 0. (i G Ai ^ % G 2 I 2 ) A Vj Y i. j G Xi GA j G ^^ 2 )^ A 

^Yi = F 2 V (3i > 0. (i G Hi < 7 ^ i G B 2 ) A Vy < by G Yi GA y G 12 )^ —> 

f\ {Bi = Xi)A \J 3k > 0. {S{k) €Yi^keAi) . (6.2) 

*€{ 1 , 2 } *€{ 1 , 2 } 

Theorem 6.3 (Correctness unsatj^^il^). Given a CL 3 formula = Qa-Ai<i<n -A 

ipi) over coordination variables C and strategy variables S. Let (fi be a syntactically safe LTL 
formula for each 1 < i < n. ^ is unsatisfiable if there exists functions Ki ... Kn : C —> N 
such that the WSIS formula unsatKi,... ,Kn) is satisfiable. 

Proof. Assume unsat^^if^, Ki,..., Kn) is satisfiable. We show that this implies the sat¬ 
isfiability of unsatfauiti^, Xi,..., Kn) and use Theorem 4.1 that states the correctness of 
the QPTL encoding. Lemma 6.2 states that we only have to consider finite state sequences 
for the LTL specifications ipi. What is missing in the argumentation are the paths spec¬ 
ifications and the consistency condition consistent ^^K). The transformed 

path specifications are equisatisfiable under WSIS and QPTL semantics as the (existen¬ 
tial quantified) input variables appear after the (universal quantified) strategy variables 
in header {S, K). Lastly, the consistency condition restricts the finite behavior of the 
universal quantified strategy variables and the infinite behavior does not affect the satisfi¬ 
ability of the co-safety properties. Hence, there exists an infinite path extension for every 
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existentially quantified second-order variable, and the formula remains satisfiable against 
any infinite path extension of the universally quantihed second-order variables. D 

WSIS is supported by the Mona [HJJ+95] tool. Some of our smaller instances were solved 
by Mona, but the Byzantine Generals’ Problem failed due to memory constraints in the 
BDD library. 

Bounded-length Counterexamples. Taking the simplifications even further, we not only 
bound the number of paths but also the length of the paths by translating the problem to the 
satisfiability problem of quantified Boolean formulas ( QBF). Quantified Boolean formulas 
are the extension of Boolean formulas by quantification over variables. Let V = {ui ,... ,Vn} 
be a finite set of variables. The syntax of QBF is given by the grammar 

If X \ -<(p \ ipy ip \ 3x. ip , 

where x € V. We define the usual abbreviations A, V, true, false, —?>, and eA. The semantics 
is dehned over valuations a :V ^ {0,1}. The satisfaction of an valuation a is defined as 

• o- Nqbf X :<tA a{x) = 1, 

• <7 Nqbf <7 J^qbf f, 

• o- Nqbf V V’ fj Lqbf f ox a I=qbf V’, and 

• O' l=QBF v? :<tA 3a G {0, l}.fT'(2/) = 

The encoding translates a QPTL variable x to Boolean variables xq, ... ,Xk-i, each rep¬ 
resenting one step in the system where k is the length of the paths. We build the QBF 
formula by unrolling the QPTL formula unsat fault Ki,..., Kn) for k-steps: Each vari¬ 
able in the quantification prefix of the QPTL formula is transformed into k Boolean vari¬ 
ables in the QBF prefix, e.g., the 3-unrolling of 3x.yy.ip is 3xQ,xi,X2-'dyt)-,yi-,y2-funroii- 
The unrolling of the remaining LTL formula is given by the expansion law for Until, 
iplA'il) = fi\/{ip/\Ofhl'f’)- After the unrolling, the QBF formula is transformed into 
Conjunctive Normal Form (CNF) and encoded in the QDIMACS file format, that is the 
standard format for QBF solvers. Already with this encoding we could solve more examples 
than using the WSIS approach. 

Formally, we define the transformation function qbf{^, i, k) that takes a QPTL formula 
over alphabet S and transforms it into the /c-unrolling: 

• qbf{p,i,k) :=Pi, forpGS, 

• qbfhp, i, k) := ^pi, for p G S, 

• qbf{ipi o ip 2 ,i,k) := qbf{ipi,i,k) o qbf{ip 2 ,i,k) for o G {V, A}, 

qbf{ip, i + l,k) if i < k 
false otherwise ’ 

qbf{fi, i, k) V {qbf{ip, i, k) A qbf{ip U fi,i + 1, k)) if i < k 
false otherwise ’ 

• qbf{Qp.ip,i,k) := Qp^,... ,p^-^. qbf{ip,i,k) fox Q € {3,\/} . 

Corollary 6.4. Given a QPTL formula ^ = Q.ip where ip is a syntactically co-safe LTL 
formula. If qbf{^,0,k) is satisfiable for some k> 0 then is satisfiable. 



<x{y) if y fix 
a otherwise 


fi pQBF f 
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Figure 6 : Example for a dependency graph of the Byzantines’ Generals Problem. The graph 
identifies all variables that influence the variables used in the LTL specifications 
consensusij := Os {oi = gj) and conrectvaU := u -H- Os Qi (variables with red 
circle). All variables that do not influence the LTL formula can be safely removed, 
e.g., the input v in step 2 and 3 never reaches the strategies <72 and 5 ^ 3 . 


The QBE encoding of CL 3 formula and functions Ki... : C —N is 

unsat^^^l^, k,Ki,..., Kn) '■= header^^^{S, K, k). consistent^^^{S, K, k) —> 

V ( A V qbf{^ipi{TT),0 ,k)J , (6.3) 

l< 2 <n 7T£branches{C,Ki) 7T£branches{C,Ki) 

where iL : C —N is defined as K{c) := maxi<j<„ iLj(c) for every c G C and fe > 0. 
header^^^ introduces the variables that correspond to the path variables x, 

but is otherwise identical to the QPTL version. Eurthermore, uses the equivalence 

K<kis" c-)- c*) for 0(0 ■<->■ v). The consistency condition consistent^^^{S,K,k) in QBE is 
defined as the conjunction of 

A {/\ {si ^ si, V \j \j 

{7r,7r')£branches{deps{s),,K)‘^ i<k j<i cGScope{s) 

for every s G <S. This formula ensures different reactions of a strategy variable on two 
branches is based on different prior valuations to the dependencies (cf. QPTL consistency 
condition (4.3)). In this simple translation, one cause of high complexity is due to the 
consistency conditions between the strategy variables across different paths. However, most 
of these variables are not used for the counterexample itself but appear only in the consis¬ 
tency condition. One optimization removes these unnecessary variables from the encoding. 
Therefore, we collect all strategy variables and (when possible) their temporal occurrence 
from the LTL specification. Eor every used strategy variable we build the dependency graph 
that contains all variables which can influence the outcome of the strategy. In the last step, 
we remove all variables that are not contained in any dependency graph. This optimization 
is depicted in Eig. 6 . 
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Let US consider again the pipeline example given by the CL 3 formula (2.2) 3{a} i> 
X. 3{6} 0 y. □ (6 = x) ^ □ (O 2/ -H- a). The QBF encoding with unrolling depth of 2 is 

3a?, a?, a?, a^. Vx?, x?, x?, x^. Vy?, y?, y?, y^. 36?, 6 ?, 6 ?, b\. 

(x? ^ X?) A {x\ X2 V a? ^ a?)A 

(y? o y?) A {y\ o y^ V 6 ? ^ 6 ?) ^ 

A ^ ^ ^ *i)) V 


ie{l,2} 


ie{l,2} 


Theorem 6.5 (Correctness unsatj^f^). Given a CL 3 formula = Qa-Ai<i<n {}Ppathi 
ipi) over coordination variables C and strategy variables S. Let ipi be a syntactically safe LTL 
formula for each 1 < i < n. ^ is unsatisfiable if there exists functions Ki ... Kn : C —?> N 
such that the QBF query unsat^^^l^{^, k,Ki,..., Kn) is satisfiable for some k > 0. 


Proof. The encoding is a special case of Theorem 6.3. If the Boolean formula that is a 
hnite /c-unrolling of the LTL formula is satisfied against a finite sequence of length k, i.e., 
we found a counterexample within the first k steps, then it is also satisfied against any 
(possibly infinite) strategy. □ 


7. Experimental Results 

We have carried out our experiments on a 2.6 GHz Opteron system. For solving the QBF 
instances, we used a combination of the QBF preprocessor Bloqqer [BLSll] in version 031 
and the QBF solver DepQBF [LBIO] in version 3.0.3. For solving the WSIS instances, we 
used Mona [HJJ+95] in version 1.4-15. 

Byzantine Generals’ Problem. Table 1 demonstrates that the Byzantine Generals’ Prob¬ 
lem remains, despite the optimizations described above, a nontrivial combinatorial prob¬ 
lem: we need to find a suitable set of paths for every possible combination of the strate¬ 
gies of the generals. The bound given in the first row reads as follows; The first com¬ 
ponent is the number of branchings for the input variable v in all three architectures. 
The last three components state the number of branchings for the outputs of the faulty 
nodes in their respective architectures. For example, bound (1,1,0,0) means that we 
have two branches for v, C12, and C13, while we have only one branch for C23 and C32. 
More precisely, starting from constant zero functions Ki, K 2 , K^, the bound (1,1,0,0) sets 


Table 1: Result of the Byzantine Generals’ Problem example 


Bound 

( 0 , 0 , 0 , 0 ) 

( 1 , 0 , 0 , 0 ) 

( 1 , 1 , 0 , 0 ) 

( 1 , 1 , 1 , 0 ) 

( 1 , 1 , 1 , 1 ) 

Result 

Unsatisfiable 

Unsatisfiable 

Unsatisfiable 

Unsatishable 

Satishable 

# Clauses 

57 

228 

2286 

2904 

3522 

Variables 

44 

143 

1095 

1375 

1655 

Time (s) 

0.09 

0.16 

0.98 

1.01 

23.61 


The table shows the solving time of the Byzantine Generals’ Problem 4 ’bgp (Equation 4 . 8 ) 
using the QBF encoding with a fixed length of 3 unrollings. The QBF queries are solved 
using a combination of Bloqqer 031 and DepQBF 3 . 0 . 3 . 
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Ki{v) = K2{v) = Kz{v) = Ki{ci 2 ) = Ki{ciz) = 1 and K2{c23) = K3{c32) = 0. To prove 
the unrealizability, we need one branching for the input v and one branching for every coor¬ 
dination variable that serves as a shared variable for a faulty node, i.e., the bound ( 1 , 1 , 1 , 1 ). 
The number of branches and thereby the formula size grows exponentially with the number 
of branchings for the input variables. 


Table 2; Result of the Byzantine Firing Squad Problem example 


Instance 

Result 

if Clauses 

a Variables 

Time (s) 

bfsp_3 

Satisfiable 

803 

435 

0.21 

bfsp_5 

Satisfiable 

1773 

967 

0.43 

bfsp _10 

Satisfiable 

7348 

3942 

3.07 

bfsp _20 

Satisfiable 

42198 

22 042 

15.58 

bfsp_30 

Satisfiable 

128 648 

66 342 

66.29 

bfsp_40 

Satisfiable 

290 698 

148 842 

190.90 

bfsp_50 

Satisfiable 

552 348 

281 542 

396.20 


The table shows the solving time of the Byzantine Firing Squad Problem 
d>bfsp (Equation 7.1) using the QBF encoding with a fixed length of 3 
unrollings. The QBF queries are solved using a combination of Bloqqer 031 
and DepQBF 3.0.3. 

Byzantine Firing Squad Problem. We consider another classical consensus problem, the 
Byzantine Firing Squad Probem [FLM85]. In this setting, we have a set of synchronous pro¬ 
cesses, each having a distinct input and a broadcasting mechanism for communication with 
the other processes, depicted in Fig. 7(a). The goal of these processes is to synchronously 
enter a fire state whenever the input was initially given at one process. As before, we con¬ 
sider architectures with up to one faulty process, but in contrast to the Byzantine Generals’ 
Problem, we require that this specification holds only if all processes are correct. Further¬ 
more, we require that the non-faulty processes act uniformly, i.e., if a non-faulty process 
enters the firing state, all other non-faulty processes enter the firing state. It was shown 
in [FLM85] that there is no protocol that ensures correct behavior in the presence of faults. 
The encoding <hbfsp for three nodes is given by the CL 3 formula 

3{req^} > bcasti. 3{req]^, chan 2 i, chanai} i> outi. 

3{req2} > bcast2. 3{req2, chani2, chan32} > out2. 

3 {req 3 } c> beasts, ^{reqs, chanis, chan 23 } i> outs. 

(□ operational2 3 consistent2,3) A 
(□ operationally consistent 1^3) A 
(□ operational I 2 ^ consistent 1^2) A 

(□ operational I 2^3 — >■ consistent 1^2, 3 A uni/ormi 2,3) > ( 7 T) 
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where 


consistentN := □ /\ (out* = outj) and 

i<jGN^ 


uniform := 



(7.2) 


Table 2 shows that our method can detect conflicts quickly even though the CL^ encoding 
‘hbfsp grows quadratically in the number of nodes. 


CAP Theorem. The CAP Theorem due to Brewer [BreOO] states that it is impossi¬ 
ble to design a distributed system that provides Consistency, Availability, and Partition 
tolerance (CAP) simultaneously. For the encoding in CL 3 , we assume there is a fixed 
number n of nodes, that every node implements the same service, and that there are di¬ 
rect communication links between all nodes, depicted in Fig. 7(b). We use the variables 
reqj and out* to denote input and output of node i, respectively. The consistency and 
availability requirements are encoded as the LTL formulas ^ outj+i) and 

(Vi<j<„ reqj -fA (O 2 Vi<i<n partition tolerance is modeled in a way that there 

is always at most one node partitioned from the rest of the system, i.e., we have n different 
architectures and in every architecture all communication links to one node are faulty. For 
two nodes, we get the CL 3 formula ^hcap 

3{reqi} > comi. 3{reqi, chan 2 } > outi. 3 {req 2 } > com 2 . 3 {req 2 , chani} > out 2 . 

(□ (chani = comi) —> □ ((outi = out 2 ) A ((req^^ V req 2 ) O O 3 (outi V out 2 )))) A 

(□ (chan 2 = com 2 ) □ ((outi = out 2 ) A ((reqi V req 2 ) ^ O 3 (outi V out 2 )))) . (7.3) 

Table 3 shows that our method is able to find conflicts in a specification with an architecture 
up to 50 nodes within reasonable time. When we drop either Consistency, Availability, 
or Partition tolerance, the corresponding instances (AP, CP, and CA) become satisfiable. 
Hence, our tool does not find counterexamples in these cases. 


Table 3; Result of the CAP Theorem example 


Instance 

Result 

if Clauses 

a Variables 

Time (s) 

ap_2 

Unsatisfiable 

1232 

619 

0.41 

ca_2 

Unsatisfiable 

1408 

763 

1.11 

cp_2 

Unsatisfiable 

48 

42 

0.09 

cap_2 

Satisfiable 

no 

84 

0.11 

cap_5 

Satisfiable 

665 

426 

0.28 

cap_10 

Satisfiable 

2590 

1556 

1.07 

cap_25 

Satisfiable 

15 865 

9146 

20.60 

cap_50 

Satisfiable 

62 990 

35 796 

781.16 


The table shows the solving time of the CAP Theorem ‘f’cap (Equation 7.3) 
using the QBF encoding with a fixed length of 3 unrollings. The QBE 
queries are solved using a combination of Bloqqer 031 and DepQBF 3.0.3. 
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Figure 7: Broadcasting (a) and non-broadcasting (b) communication topologies. (We omit 
the environment process to increase readability.) 

Discussion. Table 4 shows a comparison of the the different encodings that we have pre¬ 
sented in the paper. There does not exist an algorithm that decides whether a given CL 3 
formula is unsatisfiable. We presented an approach that bounds the number of paths and 
used an encoding to QPTL. The reason for incompleteness was shown in Section 5: for live¬ 
ness properties one may need infinitely many paths to show unsatisfiability. Our encoding 
in WSIS (Mona) loses the ability to find counterexample paths of infinite length, e.g., the 
CL 3 formula 

30c>y.On(O y ^ x) (7.4) 

with free coordination variable x is unsatisfiable and two paths that are infinitely often 
different are sufficient to prove it. The QPTL encoding is capable of finding these paths 
while neither the WSIS, nor the QBF, encoding is applicable. However, Mona failed to 
solve larger instances from Tables 1 to 3, especially it could not handle the encoding of 
the Byzantine Generals’ Problem. For the translation to QBF we bounded the length of 
the paths to k where k is an additional parameter. With this encoding we approximate 
the reactive behavior of our system by a finite prefix. Despite this restriction, we could 
prove unsatisfiability for many interesting specifications from literature. In some instances, 
the WSIS approximation provides stronger unrealizability guarantees. For example in the 
Byzantine Firing Squad Problem, the WSIS encoding is able to prove that any finite uniform 
reaction 

uniform ;= V reqj ^ O V 

\i&N / \ieN / 

leads to an unrealizable instance (cf. Table 4), while in the QBF encoding, we have to 
bound the uniform reaction (7.2) to a fixed length. In practice, one would first use the QBF 
approximation in order to find “cheap” counterexamples. After hitting the number of paths 
that the QBF solver can no longer handle within reasonable time, one proceeds with more 
costly approximations like the WSIS encoding. 
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Table 4; Comparison of different encodings 



independent 

(2.1) 

pipeline 

(2.2) 

join 

(2.3) 

bgp 

(4.8) 

bfsp 

(7.1) 

cap 

(7.3) 

infinite 

(7.4) 

bfsp-finite 
(7.1),(7.5) 

QPTL 

/ 

(/) 

(/) 

(/) 

(/) 

(/) 

/ 

(/) 

WSIS 

/ 

/ 

/ 

(/) 

/(5) 

/(6) 

- 

/(5) 

QBF 

/ 

/ 

/ 

/ 

/ 

/ 

- 

- 


The table compares the expressiveness of the encodings and the experimental verifia¬ 
bility on the examples presented in this paper. The (/) symbol denotes that the tool 
failed to solve the query, the number behind the checkmark indicates up to how many 
nodes the query was successful. We used GOAL, Mona 1.4-15, and a combination of 
Bloqqer 031 and DepQBF 3.0.3 for the QPTL, WSIS, and QBF queries, respectively. 

8. Beyond the Byzantine Fault Model 

We formalize the fault-tolerant synthesis problem regarding multiple types of faults, their 
durations, observability, and the fault-tolerance requirements and provide a uniform encod¬ 
ing into CL 3 . Faults are modeled by allowing the environment to take over the control of 
the faulty processes. 

Types of Faults. We review types of faults that were considered in previous work [DS 86 , 
AAE04,DF09]. Stuck-at faults occur when a process stops reacting on new inputs and 
keep their last outputs. On fail-stop faults or crashes the process halts immediately, i.e., 
they stop producing any outputs. While fail-stop faults are detectable, crashes are not 
detectable [DS 86 ]. Omission faults subsume these faults and are characterized as failures 
on the specified input-output specification. The most general fault type are the Byzantine 
faults, where a process can deviate arbitrarily from its specification, even in a malicious 
way. 

The duration of a fault can be permanent, intermittent, or transient. Some failures may 
be detectable or undetectable depending on the architecture and the type of fault. 

Lastly, the system usually has to fulfill different kind of specifications in the presence 
of faults and we use the classification of fault-tolerance requirements from [DF09]: Masking 
tolerance means that the system has to fulfill both safety and liveness specifications, non¬ 
masking tolerance allows the system to temporarily violate its safety properties while fail¬ 
safe tolerance specifies that after a fault, only the safety requirements have to be fulfilled. 

Fault-tolerance Specifications. For simplicity, we restrict the failures to processes, but 
it can be easily adapted to failures of individual communication links. Consider an ar¬ 
bitrary architecture A = {P,penv, {Ip}peP, {Op}p£p). A fault-tolerance scenario F is a 
tuple {Pf,T,D, Obs,(p) where Pf C P is a subset of processes that simultaneously suf¬ 
fer from a fault of type T G {stuck-at, fail-stop, omission, Byzantine} and duration D G 
{permanent, intermittent, transient}, Ohs G {T,T} denotes the observability, and (p is an 
LTL formula specifying the fault-tolerance requirements. Not all combinations of fault types 
and durations are possible, e.g., stuck-at faults and fail-stop faults are always permanent. 
A fault-tolerance specification P is a set of fault-tolerance scenarios. 
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Fault-tolerant Realizability. The distributed fault-tolerant realizability problem is to 
decide, given an architecture A and a fault-tolerance specification T, whether there exists 
a finite state implementation for the processes in A such that the system satisfies the 
fault-tolerance specification We formalize this problem by giving a CL 3 formula <1> = 
Qb- Afgt {v’pathp fp) that models the description of the fault-tolerance scenarios given 
above. 

Consider an arbitrary architecture A = {P,penv, {Ip}p<=P, {Op}p<=p) and a fault-tolerance 
specification T. Using Theorem 2.1 we get the CL 3 encoding T = Q 3 . (ppath —^ V? of the 
distributed realizability problem for architecture A and an arbitrary LTL formula p. For 
every fault-tolerance scenario F € T", we introduce a new architecture that modifies the 
input-output specifications for processes affected by F according to the scenario. We de¬ 
note the resulting path specification by the LTL formula Ppathp and the fault-tolerance 
requirement for F as pp. The resulting CL 3 formula contains a conjunct over all scenarios 


F: 


^ = Qb- /\ {^pathp ^p) 

FeP 

We now define the path specifications (ppathp- Let F = {Pf,T,D, Obs,(pp) be a fault- 
tolerance scenario. For every process p £ Pf we introduce a fresh coordination variable 
fault p that immediately signals whether a fault occurred at process p in the last step. If 
the faults are observable {Obs = T) we extend the scope of every strategy variable by 
{faultp I p £ 

Let Ppathp = ^path = Aj;G/no Q We remove every conjunct □(c„ = s„) from 

ppathp where v £ Op^ is the output of a faulty process. For every v £ I we add the 

following new constraints to Ppathp depending on the type of faults T. For readability, we 
replace faultp by fault, c„ by i, and by o. 

• T = stuck-at: [{^fault A (f = o)) W (□ fault A f -H- O □ f) • 

• T = fail-stop: [^fault A {i = o)) W (o (fault A -■f)). 

• T = omission: □ (fault A -if V -'fault A (i = o)). 

• T = Byzantine: □ (fault V -'fault A (i = o)). 

Lastly, we add a requirement for every faultp variable regarding the specified duration D: 


• D = permanent: fault W (□ fault) 

• D = intermittent: DO ~^fault. If we want to have tighter control about the duration 
of faults we can use the parametric LTL operators [AELPOl] to bound the length n of 
a fault □ 0 <n ~^fault, or require that length of a correct behavior is longer than m by 
formula □ (fault -A fault U (-'fault fault)). 

• D = transient: ^fault W (fault U<n □ -'fault) where n is the maximal duration of the 
fault. 


We simplify the undetectable permanent fault encoding by removing the fault variables, as 
these variables are not used in the specification. Our formulation allows for many types 
and durations of faults that cannot be captured with a fault-tolerance scenario. Indeed, 
it is possible to use arbitrary LTL formulas to specify the type and duration of a fault. 
Computing counterexamples for these general types of faults can be integrated into the 
method described in Section 4. 


2 


These signals are called fault-notification variables in [DF09] as only detectable faults were considered. 



30 


FINKBEINER AND TENTRUP 


9. Conclusion 

We have introduced counterexamples for distributed realizability and shown how to auto¬ 
matically derive counterexamples from given specifications in CL 3 . We used encodings in 
QPTL, WSIS, and QBF. In our experiments, the QBF encoding was the most efficient. 
Even problems with high combinatorial complexity, such as the Byzantine Generals’ Prob¬ 
lem, are handled automatically. Given that QBF solvers are likely to continue to improve 
in the future, even larger instances should become tractable. In future work, we plan to 
extend the method to a larger class of infinite counterexamples, which will support live¬ 
ness specifications. Furthermore, we want to investigate approximation techniques for more 
general types of faults. 
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